Whereas DevOps addresses your deployment pipeline and your operations practices, DevSecOps combines DevOps with security practices applied early and continuously within a project. This collaboration of two initially separate practices brings a new level of flexibility and responsiveness while supporting the continuous delivery approaches used in lean and agile practices. DevSecOps is also sometimes referred to as a “security as code” approach. eSimplicity combines these approaches (DevOps + Security) early in the project so that security begins when developers start coding and the pipeline begins. Our developers are trained to think about security at the beginning of a project, right in the backlog grooming conversations. At eSimplicity, we identify specific acceptance criteria that are focused on DevSecOps, just as a specific user story addresses the human experience. These often include specific security tools, coding compliance, JSON validators, and negative outcomes that must be guarded against within each feature during development.

The SIMPLE Experience

Audit and compliance

Information security audits are a systematic, measurable technical assessment of how well an organization’s security policy is implemented. Performing regular inspections, along with automated alerts and reports, provides accurate insight into the security posture of an organization. Early in the project, eSimplicity identifies the logging, auditing, and compliance acceptance criteria necessary for project success. We pursue DevSecOps auditing and compliance as a means of maintaining a state of project readiness, whether that means remaining compliant with specific agency requirements or being responsive to potential external and internal threats. We use open-source logging frameworks that integrate with Splunk, with dashboards and custom alerts routed to PagerDuty to enable real-time notification of actionable operational events.

Vulnerability detection and assessment

Identifying the potential sources of vulnerabilities serves as early input to the DevSecOps practices. Are we using cloud services, open-source code, custom code? All of these components can affect your security posture. At eSimplicity, on nearly all of our projects, we combine our delivery pipeline with static, dynamic, container image and open-source dependency scanning. Our approach automates scanning wherever possible and notifies the Agile team when a pipeline scan does not meet the specified expectations. With an iterative approach to development and continuous delivery, small changes are isolated and vulnerabilities are more easily identified. After automated scans are complete, we introduce periodic penetration tests, both manual and automated, to seek out the potentially complex scenarios that might be exploited when an attacker comes into contact with our applications. In all cases, whether a finding comes from an automated scan or a penetration test, eSimplicity tracks it to an iterative change and then delivers the security resolution as a code, process, configuration and/or infrastructure change through the DevSecOps pipeline.
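The gate described above, in which the pipeline compares scan results against the acceptance criteria set for the project and notifies the team when they are not met, can be illustrated with a small policy check. The following is an added example, not eSimplicity's own tooling: it assumes a simplified, normalised findings shape (real SAST, DAST, image and dependency scanners each emit their own report format and would need a small adapter), uses constructed sample reports, and models the "tracked finding" idea as an accepted-risk list whose entries expire, so that a finding accepted once does not stay silenced forever.

```python
"""Pipeline scan gate with a tracked-finding acceptance list.

Added example, not eSimplicity's code. The findings format below is an
assumed, simplified shape; real scanners emit their own report formats
and would need a small adapter each to produce it.
"""
from dataclasses import dataclass, field
from datetime import date
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    """Gate expectations: fail at this severity or above, unless the finding
    has an accepted-risk entry (finding id -> ISO expiry date) still in force."""
    fail_at: str = "high"
    accepted: dict = field(default_factory=dict)


def normalise(raw_reports):
    """Flatten per-tool reports into one list of findings with a common shape."""
    findings = []
    for tool, report in raw_reports.items():
        for f in report["findings"]:
            findings.append({
                "tool": tool,
                "id": f["id"],
                "severity": f["severity"].lower(),
                "location": f.get("location", ""),
            })
    return findings


def evaluate(findings, policy, today):
    """Apply the policy; an expired acceptance makes the finding block again."""
    threshold = SEVERITY_RANK[policy.fail_at]
    result = {"pass": True, "blocking": [], "accepted": [], "expired": []}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the gate threshold: reported, not blocking
        expiry = policy.accepted.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            result["accepted"].append(f)
            continue
        if expiry is not None:
            result["expired"].append(f)
        result["blocking"].append(f)
    result["pass"] = not result["blocking"]
    return result


def notification(result, pipeline_url):
    """Build the text the pipeline would hand to the team's chat or pager
    integration (the transport itself is out of scope here)."""
    status = "PASSED" if result["pass"] else "FAILED"
    lines = [f"Security gate {status}: {pipeline_url}"]
    for f in result["blocking"]:
        tag = " (acceptance expired)" if f in result["expired"] else ""
        lines.append(f"  BLOCK {f['severity'].upper():8} {f['tool']}/{f['id']} at {f['location']}{tag}")
    for f in result["accepted"]:
        lines.append(f"  accepted-risk {f['tool']}/{f['id']} at {f['location']}")
    return "\n".join(lines)


def run_gate(raw_reports, policy, today=None, pipeline_url="pipeline://example/build/1"):
    """Return (exit_code, message): 0 lets the pipeline proceed, 1 stops it."""
    result = evaluate(normalise(raw_reports), policy, today or date.today())
    return (0 if result["pass"] else 1), notification(result, pipeline_url)


# Constructed sample reports and policy (not real scanner output); the
# pipeline URL above is likewise a placeholder.
SAMPLE_REPORTS = {
    "sast": {"findings": [
        {"id": "sast-0001", "severity": "High", "location": "src/api/users.py:42"},
        {"id": "sast-0002", "severity": "Low", "location": "src/util/log.py:10"},
    ]},
    "dependency": {"findings": [
        {"id": "dep-0001", "severity": "Critical", "location": "package-lock.json"},
    ]},
    "image": {"findings": [
        {"id": "img-0001", "severity": "Medium", "location": "base image: os package"},
        {"id": "img-0002", "severity": "High", "location": "base image: os package"},
    ]},
}
SAMPLE_POLICY = Policy(
    fail_at="high",
    accepted={
        "img-0002": "2099-01-01",  # accepted risk, still in force
        "dep-0001": "2020-01-01",  # acceptance expired: must block again
    },
)
SAMPLE_TODAY = date(2024, 1, 1)

if __name__ == "__main__":
    code, message = run_gate(SAMPLE_REPORTS, SAMPLE_POLICY, SAMPLE_TODAY)
    print(message)
    sys.exit(code)
```

Run as a pipeline step, the script's exit status is what the CI system acts on, and the message is what the team receives. Against the sample data the gate fails: the unaccepted high SAST finding and the critical dependency finding whose acceptance has lapsed both block, while the accepted image finding is reported but does not. Raising `fail_at` to `critical` or renewing the dependency acceptance with a new expiry date is the kind of tracked, reviewable change that keeps the acceptance list honest rather than a permanent mute.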

Security training

Just as one person cannot be a team, no single team member can address all components of a project’s security posture. DevSecOps is the responsibility of each team member. eSimplicity team members participate in annual training. Our teams participate in and lead hands-on project team training covering security competencies such as threat detection, vulnerability detection, network intrusion prevention and firewall management, using industry-leading tools: Splunk, Burp Suite, HP ArcSight, Palantir and ZAP.